#60638 Conditionally use SHA-256 or MD5 for Gravatar hashing #8097
Conversation
|
The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the Core Committers: Use this line as a base for the props when committing in SVN: To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook. |
Test using WordPress PlaygroundThe changes in this pull request can previewed and tested using a WordPress Playground instance. WordPress Playground is an experimental project that creates a full WordPress instance entirely within the browser. Some things to be aware of
For more details about these limitations and more, check out the Limitations page in the WordPress Playground documentation. |
There was a problem hiding this comment.
As the test suite is run by various hosting providers, https://make.wordpress.org/hosting/test-results/, you'll need to make the tests conditional too.
The contents of tests/qunit/fixtures/wp-api-generated.js will vary depending on whether the system generating them uses md5 or sha256 so I am not sure what will be needed to handle that edge case.
|
Oh that's nasty. Good spot. In practice, do any hosts have |
|
I ask because if there are none then I would personally be happy to retain the hardcoded references to sha256 in the test suite. If we can get the minimum supported version of PHP bumped to 7.4 later this year then the issue goes away then anyway. |
Personally: I don't think so. The stats included in WP 6.1+ show that a single site in the data-set has The extension being disabled did cross my mind when I saw this originally, but thought it was already a required extension, due to the stats showing it being installed almost everywhere. Core does conditionally check for it in a few places, but PHPMailer doesn't (although it looks to be only in the HTML emails code paths, which is not at all run by many)
AFAIK, that's correct. I'm totally cool for this to be reverted and wait for PHP7.4 bump. |
I'd be very surprised if this is the case. I can't see why anyone would want to do this but I've been surprised before.
That's correct, there's no way to run them against a PR. I think commit and see is the best we can do. Reviewing the PHP stats, it appears likely we're a few months from being able to bump the minimum version. The KISS approach would be to revert the change and reapply it once the minimum is bumped as Automattic are retaining MD5 support for the foreseeable future. Hash lookup tables exist for all one way hashes, so the benefit of switching can wait. |
Being generous with the rounding error and assuming a few thousand sites don't have the extension available, I think it's fine to require the extension rather than do all this juggling. @johnbillion What do you think of a make post/trac ticket to discuss this so contributors can figure out if that's a better approach? |
Trac ticket: https://core.trac.wordpress.org/ticket/60638